Hackers Breached Colonial Pipeline Using Compromised Password

An anonymous reader quotes a report from Bloomberg: The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack. Hackers gained entry into the networks ofColonial Pipeline Co.on April 29 through a virtual private network account, which allowed employees to remotely access the company's computer network, said Charles Carmakal, senior vice president at cybersecurity firm Mandiant, part of FireEye Inc., in an interview. The account was no longer in use at the time of the attack but could still be used to access Colonial's network, he said.

The account's password has since been discovered inside a batch of leaked passwords on the dark web. That means a Colonial employee may have used the same password on another account that was previously hacked, he said. However, Carmakal said he isn't certain that's how hackers obtained the password, and he said investigators may never know for certain how the credential was obtained. The VPN account, which has since been deactivated, didn't use multifactor authentication, a basic cybersecurity tool, allowing the hackers to breach Colonial's network using just a compromised username and password. It's not known how the hackers obtained the correct username or if they were able to determine it on their own. "We did a pretty exhaustive search of the environment to try and determine how they actually got those credentials," Carmakal said. "We don't see any evidence of phishing for the employee whose credentials were used. We have not seen any other evidence of attacker activity before April 29."

A little more than one week later, on May 7, an employee in Colonial's control room saw a ransom note demanding cryptocurrency appear on a computer just before 5 a.m. The employee notified an operations supervisor who immediately began to start the process of shutting down the pipeline, Colonial Chief Executive Officer Joseph Blount said in an interview. By 6:10 a.m., the entire pipeline had been shut down, Blount said. It was the first time Colonial had shut down the entirety of its gasoline pipeline system in its 57-year history, Blount said. "We had no choice at that point," he said. "It was absolutely the right thing to do. At that time, we had no idea who was attacking us or what their motives were."

Amatuer hour at Colonial Pipeline.

[Gravis Zero]

The account was no longer in use at the time of the attack but could still be used to access Colonial's network

User accounts should be setup to automatically lock after a certain amount of inactivity and accounts of former employees should definitely be scrubbed. Now if it was a shared account then that is even worse.

Any company that company that has a contract with any level of government should be subject to involuntary pen-testing. Too much is at stake to leave it up to cheapskate executives who don't give a shit about security.

Re:Amatuer hour at Colonial Pipeline.

[Bert64]

Many governments do require their own internal departments and critical national infrastructure to be pentested.

There are a LOT of problems with this approach however... For instance quite often the scope of testing will be overly restrictive either intentionally to hide problems from audits, or for other reasons such as stability.

For instance a pentest will usually not perform password guessing attempts because account lockout functions are extremely common and you could easily cause a denial of service. While the pentest company would get in big trouble for locking out every account and disrupting business, a malicious attacker isn't going to care what disruption they might cause.

A pentest will often be scoped as "here are the ip addresses of the servers that host ", but those will only be the frontend user facing addresses. Going directly at the front door of a particular system might be quite secure, but what about other routes? Attack the users, attack the sysadmins, attack the management infrastructure, compromise the backups etc. There are MANY ways to attack most things, but pentests are often explicitly limited to direct attacks against the visible face of a system.

Ransomware operators don't work this way, they don't attack a system through the front door. They are opportunistic, they will find something that they can compromise first and then see how they can leverage that system for further gain. This case being a perfect example of that, a password was compromised from somewhere else and used against the colonial vpn.

Re:

[h33t l4x0r]

Pen testing wouldn't help. You clearly have unrealistic expectations of pen testers. Maybe they will run a dictionary attack, and pocket your money but that's it.

I know you think your guy will monitor dark web leaks for compromise passwords but guess what? You've been watching way too much TV.

God-damn, the lack of common sense in this thread is making me uncomfortable.

Re:

[Bert64]

That's the point, a pentester probably won't even run a dictionary attack, because from an external perspective he has no idea if you have things like account lockouts configured.
If a pentester runs a dictionary attack and locks out his client's accounts then he'll get in trouble, so he doesn't do that. Automated vulnerability scanners also don't do that, for the exact same reason.

Re:

[h33t l4x0r]

Wouldn't have helped if the user was active. A OTP would have helped but they're fucking annoying.

Re:Amatuer hour at Colonial Pipeline.

[ceoyoyo]

If you're logging into critical infrastructure, "fucking annoying" is not only acceptable, it's desirable. Also, your threshold for annoying is awfully low. If you find copying a few numbers a problem, you probably shouldn't be logging into critical systems.

Re: Amatuer hour at Colonial Pipeline.

[flyingfsck]

Well, admin123 isnâ(TM)t exactly hard to guess, is it?

Re:

[dbialac]

No, there shouldn't be any remote access into this kind of account in the first place. Remote access is convenient, but far from critical. The results of this kind of slip up, on the other hand, is detrimental to the entire US economy.

Re:

[h33t l4x0r]

Remote access is required, dummy. Read TFS. VPN with 2FA would have been fine but they didn't turn it on, presumably because it's annoying. Which is totally understandable for most applications, but guess what? You're fucking Colonial Pipeline. You need to do better, you god-damned retards.

Re:

[fibonacci8]

Fine, calling your bluff. I read the article. It doesn't explain that remote access was required. It does describe that Colonial Pipeline wanted employees to use a VPN on something that shouldn't be allowed internet access in the first place though. Your move?

Re:

[h33t l4x0r]

For fuck sake, dude. TFA describes how not enabling 2FA enabled kids with access to (dark net?) leaked passwords to fuck with critical infrastructure. Your move I guess but please don't bother. The solution is to turn on 2FA.

Re:

[drinkypoo]

That's a solution. Removing access from unused accounts would have prevented this breach, though.

I have nothing against 2FA, so long as you use a hardware token and not your insecure-by-design cellphone. But it wasn't actually necessary here, just a good idea.

Re:

[h33t l4x0r]

Well I believe the actual security team got it right, but I'm willing to keep an open mind and suppose that a recommendation from drinkypoo might have changed everything. Just kidding, drinkypoo, you're actually a seriously dumb motherfucker and you're way out of your depth.

Re:

[drinkypoo]

Well I believe the actual security team got it right

You mean the security team that found that the account with excessive privileges was the way in? Yeah, I think so too.

Just kidding, drinkypoo, you're actually a seriously dumb motherfucker

Obviously, I wasted time talking to you.

Re:

[h33t l4x0r]

Um, no I mean the team that identified lack of 2FA to be the problem (It's a no-brainer, folks). And yes, drinkypoo you really have no business weighing in here. Stick to politics or whatever other bullshit please.

Re:

[h33t l4x0r]

Great, now it's controversial to suggest the security experts know more than someone named "drinkypoo".

Re:

[dbialac]

Uhm, no. Remote access wasn't required for decades and still isn't required; it is and always a nice to have.

Re:

[mjwx]

The account was no longer in use at the time of the attack but could still be used to access Colonial's network

User accounts should be setup to automatically lock after a certain amount of inactivity and accounts of former employees should definitely be scrubbed. Now if it was a shared account then that is even worse.

Any company that company that has a contract with any level of government should be subject to involuntary pen-testing. Too much is at stake to leave it up to cheapskate executives who don't give a shit about security.

B-B-B-But proper security is hard and costs money, money that is needed for exec bonuses and share divs.

I've a few PCI-DSS "compliant" customers who let their environments go unpatched and un-upgraded until they get a security advisory from their PCI auditor... then they expect us to drop everything to fix their out of date environment first.

Also users that complain about password expiry, this is exactly the kind of attack that forcing users to change passwords is meant to prevent, so a password comp

Re:

[HiThere]

Password expiration has real problems though. Even with normal passwords one needs a password manager program to keep track of them. If they keep changing one is going to run into problems of people making things easy to remember. (Actually, that will happen anyway, but keeping changing makes things worse.)

The best solution is not to put controls accessible over the internet. Read access with proper security is acceptable, but control isn't. And, yes, that can be very inconvenient. Lots less inconveni

Re:

[Revek]

It happened almost as I envisioned it. Latest job the first thing I did was disable all the old passwords that were not in use. Deleted old email addresses and started changing all the admin passwords. The previous sysadmin tried to login to the VPN that night. They thought I was a miracle worker because all kinds of problems ceased overnight and I didn't do anything other than secure the network.

Re:

[Bigbutt]

Sadly, prior admins set up configurations using their accounts and not a service account so management is reluctant to let me remove accounts or reset passwords. When the last guy left, several things stopped and I had to hunt them down and fix them.

Don’t ask about docs. I’ve heard too many, “I don’t know how this worked in the past.” And “No idea how it was configured by the last guy”.

[John]

Re:

[ytene]

" Now if it was a shared account then that is even worse."

No.

If it was a shared account, that allowed VPN Access from outside the network on to the network, and it was single-factor in nature, then everyone from the CIO down to the person who was responsible for configuring that access should be fired.

Immediately.

It's 2021, people. There are literally no excuses left for not having "multi-factor" and/or "dial-back" and/or "manual-unlock-required" and/or "access only with an active incident ticke

which has since been deactivated

[blitz487]

Didn't see that one coming :-/

Existential failures

[Okian Warrior]

Brett Weinstein points out [youtube.com] that as a whole we're now in a position to completely trash civilization if the right things go wrong at the wrong time.

Basically, we're always doing a safety analysis assuming a single point of failure. That's fine when a single failure is limited in scope, such as a nuclear reactor shutting down, but the system is now so heavily cross dependant that cascade failures are likely to bring down the entire system.

A good example happened in Texas this winter, where a cold snap led to a cascade of failures that caused massive power outages and killed some people.

Another was Fukishima, where several unanticipated failures caused the reactor to melt down.

He points out that another Carrington event [wikipedia.org] would take out the electrical supply for months, and that resultant cascade failures would probably lead to nuclear plant meltdowns making recovery take several years. Gasoline would no longer be manufactured and could no longer be delivered, and food production would stop.

Maybe we should decouple our systems so that they can be run relatively independently, and plan for multiple simultaneous points of failure. In the case of Texas, the backup plants should perhaps have natural gas tanks on site, and enough diesel generation capacity to keep the pumps and heaters running so the system could operate even cut off from external electricity or natural gas. (At least for a while.)

I heard that the Colonial pipeline hack was in the billing systems. Perhaps once the scope of the attack was identified, the pipeline should have been restarted without the billing system operational. Colonial losing money might have been a good incentive and penalty for leaving their system so unprotected.

Re:

[CaptainLugnuts]

That's a nice sentiment, although it's totally wrong.

Texas Power was warned a decade ago about the exact conditions that lead the systemic failure. They did nothing to prepare.

Fukishima was also foreseen years in advance with nothing done to prepare.

What do they have in common? Corporate arrogance and malfeasance.

The only thing that fixes problems like these is criminal liability for the board members.

Re:

[ShanghaiBill]

The only thing that fixes problems like these is criminal liability for the board members.

Can you give any examples where criminal liability for board members fixed problems like these?

Re:

[sarren1901]

Of course not because boards are never held liable for anything. They just make all the big choices and reap all the benefits while never having to take responsibility for their failures and that of the companies they run.

Re:

[ShanghaiBill]

... and that of the companies they run.

Do you understand what a board of directors does?

Hint: They don't run companies.

Re:

[stabiesoft]

Really it is just stupidity. For example, my councilwoman in Austin is one of the saner ones. And yet, even though the fundamental reason for my 2 of my 8 hour+ power outages was funcking lack of tree trimming, and the 3rd lasted an extra 3 days because of lack of tree trimming, I see a story on the news last night about how the city is adding people to the payroll to trim the brush on park/greenbelt trails around the city. My councilwoman spearheaded it. HELLO. Maybe put those same people to work on cleari

Re:

[Areyoukiddingme]

In Nova Scotia, where i live, the power company can just trim trees that endanger the infrastructure. You can even call them if you have a tree that you think needs trimming around power lines, and they will come, assess, and trim it if it needs it.

Where I live, the power company stopped fapping about with trimming. They exercised their state-granted right-of-way rights and took down every tree within 10 meters of their power lines, right down to the ground, and ground out the stumps. Looks better than a bunch of mangled trees, and was extraordinarily effective. There's been no outages in years.

Re:

[stabiesoft]

If you don't mind, can you post (or email me, website is homepage) where you live? I'd like to forward the clearcutting and hopefully some articles about it to my city council. I doubt they will even look, but I just got another inane response to my tree trimming request.

Re:

[Anonymous Coward]

The main thing I want to stop hearing are the moronic Republicans blaming Democrats for the once in a lifetime event. Have the company execs take responsibility, explain the situation, and move on. But stop making it political.

Re:

[geekmux]

I heard that the Colonial pipeline hack was in the billing systems. Perhaps once the scope of the attack was identified, the pipeline should have been restarted without the billing system operational...

Yes, and perhaps it would have been nice to have any sort of leverage to force Colonial pipeline to do exactly that.

We don't have shit to control Greed. We're too busy feeding it instead.

...Colonial losing money might have been a good incentive and penalty for leaving their system so unprotected.

Sadly, they'll change a few passwords and fire someone. When the "penalty" for something like this is increased gas prices, and the financial pain amounted to a farts worth of revenue, don't expect a whole lot of action to take place. At least not the kind of sensible action we're expecting.

Unfortunately, this whole damn

Re:

[sjames]

Or they could have had a sane design where they could generate the billing retroactively from the data about flow collected during the outage of the billing system.

Re:

[MacMann]

I heard that the Colonial pipeline hack was in the billing systems. Perhaps once the scope of the attack was identified, the pipeline should have been restarted without the billing system operational. Colonial losing money might have been a good incentive and penalty for leaving their system so unprotected.

Have you considered the long term implications of this? Let's say the government stepped in and force them to give their fuel away. Now you run the risk of bankrupting the energy sector, and there's nobody willing to sell fuel if the government can just come in to bankrupt them if they are the victim of a foreign hack.

I have some better ideas.

The government could have come in with some kind of financial assistance. The pipeline operators screwed up but people still needed fuel. Fix the problem first the

Re:

[stabiesoft]

The problem was one of scale. On a daily basis the pipeline moves 100M gallons of gas, av gas, fuel oil... a day. I saw where the government did waive certain rules to have some fuel moved via ship. I think I calculated it would take 10 tanker ships a day to replace the pipeline. Not going to happen. And tanker trucks hold only 12K gallons each. So to move 100M gallons, that is around 8 thousand trucks or around 6 trucks every minute. Just unrealistic. It is a problem of scale.

Re:

[drinkypoo]

There are frankly many, many problems involved, and not all of them are related to scale. Some are simply greed.

For example, the oil industry is one of the most profitable on the planet. That's easy when selling fossil fuels because you get to "cheat" by taking advantage of the energy stored in the irreplaceable sources. Since fungus can now consume lignin, there won't be any more, no matter how much time passes.

They COULD build double-walled pipelines that never leak, and then people wouldn't be so resista

Re:

[stabiesoft]

LMAO, oil is not nearly as profitable as software these days. There was a time they were, but that time has long passed. Just ask Larry Page, Larry Ellison, Bill Gates, Zuck, ... Hmm, not seeing any new oil money names on that list. I know /. loves to whipping boy oil, but it was OUR industry that failed. Alex, I'll take Windoze security for 1 billion please.

Re:

[drinkypoo]

IT is limited by management.

The buck stops there.

Re:

[Areyoukiddingme]

The government could have offered help in tracking down the hackers. These were reportedly foreign actors, so found out where they are, lean on the government where they are based, perhaps even threaten a cruise missile down the throats of the hackers if they don't restore the systems.

The attackers are largely Russian or Chinese. You don't go lobbing cruise missiles willy nilly at nuclear powers. Bad Things happen if you do that.

To the gurus out there

[aaarrrgggh]

Aside from promptly de-activating accounts that are no longer necessariy, and a number of bad policies like password changing/re-use/complexity checks and glue like MFA what can companies do to limit the initial foothold WRT employee logins?

Re:

[ShanghaiBill]

Aside from promptly de-activating accounts that are no longer necessariy, and a number of bad policies like password changing/re-use/complexity checks and glue like MFA what can companies do to limit the initial foothold WRT employee logins?

Of the items you listed, any of them would have prevented the problem. Used together, you would have good security.

An additional check could be to only allow logins from known hosts.

For mission-critical systems, remote connections could require port knocking [wikipedia.org].

Re:

[HiThere]

If it's really a critical system, then port knocking is insufficient. Better to avoid remote control entirely, or at least limit it to a particular port on a local network. Even that allows too much scope for attacks, though.

Too many of the answers here only address the particular attack used. Yes, it's good to prevent that particular attack, but they used that one because it was available. It it wasn't, and another was, then they'd use that other one.

Re:

[ShanghaiBill]

Better to avoid remote control entirely

If you ban all remote access, employees will install backdoors so they can get their work done.

The result will be a much less secure system.

Re:

[OpenSourced]

Well, the classical. To access you'll need:

-Something that you know.
-Something that you have.
-Something that you are.

That means a passphrase that you remember, a physical device like a USB key or even a phone, and an iris or face or voice or finger scan. No security is perfect, but that removes you from the suckers' pool, at least.

Re:

[quantaman]

and a number of bad policies like password changing/re-use/complexity checks and glue like MFA what can companies do to limit the initial foothold WRT employee logins?

"password changing/re-use/complexity checks" would probably do nothing to prevent this.

password changing: Could help, but we don't know the time gap between the password being exposed on the 3rd party site and being used in the hack.
re-use: There's nothing you can do to stop someone from re-using a password on another site.
complexity-checks: We don't know how the other site leaked the password, but if they were storing them insecurely it doesn't matter how complex the passwords were.

Re:

[ceoyoyo]

Disable passwords.

Passwords are like a Master padlock. They're useful to encourage a thief to move on to the guy next door that doesn't have one, but not much more than that.

well

[Anonymous Coward]

they didn't breach the pipeline, they breached the billing system. that's why the company shut it all down, they were afraid that without a working billing system people might get some product without getting charged.

imagine if someone managed to hack into the city's electric smart meter system, so the power company just just off the juice to the whole city cause they didn't want anyone to get unmetered power.

Billing system was running in the control room?

[rapjr]

That seems strange, do the pipeline operators adjust fuel flow based on how much cash is coming in? Is this a common practice? Or maybe it was not the billing system that was compromised? I guess it is possible billing would be used to predict required flow rate in some way, but that means any hack of the internet connected billing system has a direct route to controlling fuel flow in the pipeline, which seems rather dangerous. Post some fake orders and suddenly there are millions of gallons of fuel whe

Re:

[CaptainLugnuts]

From what I understand, the pipeline controls were never hacked. The billing system was, and since they didn't know who or how much to bill they shut it down.

Re:

[Rockoon]

Thats not how pipelines work though.

At both ends of the pipeline are the same entity. They do not pump out the fuel in purchased batches because of what happens when you pump fuel.

IT MIXES

Because of the inherent mixing, the pipelines will push as much of a single octane, of a single manufacturer, as is currently available to be pushed. It doesnt just magically arrive at the destination. The pushing must continue. So within the pipeline is miles and miles and miles of shell gasoline, 87 octane, followe

Re:

[wap911]

Sounds like you have never been in a refinery or other pipe line.

They use what are called "pigs" to separate different products.
Once the have pumped so many barrels of product A, the pig gets
inserted, they pump product B.

My dad worked in a refinery for 35 years and retired.

A good friend in the linux club came in right after dad left, they each
had different jobs, and he was the pump engineer and retired just a
few years ago.

Re:

[quantaman]

Sounds like you have never been in a refinery or other pipe line.

They use what are called "pigs" to separate different products.

Once the have pumped so many barrels of product A, the pig gets

inserted, they pump product B.

My dad worked in a refinery for 35 years and retired.

A good friend in the linux club came in right after dad left, they each

had different jobs, and he was the pump engineer and retired just a

few years ago.

I don't think that's quite right.

Pigs are more to do with the pipe than the product [wikipedia.org]. You put them between batches because it cleans some gunk from the pipe walls and avoids contamination that way, but it's not a plug. The thing that avoids mixing isn't the pig, it's the pressure, when the pressure is high and turbulence low the products don't mix much at the interface layer.

Re:

[sound+vision]

No direct route from billing to flow control, from a technological perspective. But from a functional perspective, there certainly is.

Why do they say we need Big Oil? Energy security, abundant gas at the pump.
Why do we actually need Big Oil? Profits for special interests.

It would seem one of these was given precedence in the response to the attack.

The fact that someone in Sales getting their RDP password compromised led to shortages is just another manifestation of that problem. Moreso than anything to do w

Re: Billing system was running in the control room

[flyingfsck]

Pipe lines carry different types of oil products at the same time. The mix of liquids are separated out at the destination. What goes into the pipeline is determined by whoever pays for it. So without knowing who paid for how much of whatever, they donâ(TM)t know what to put into the pipe.

Change password

[fermion]

Said it before with critical infrastructure it is still low tech that wins. And all it gets is molded down to oblivion.

Social engineering, like spoofing a call asking for the security code, to hack a bank account. The Florida water system was a weak password. Back in the day it was a dumbass like me clicking on a email that infected the entire MS network.

We need to have levels of protocols. For personal stuff we can be a little lax. For highly visible targets, we canâ(TM)t.

Re:

[lessSockMorePuppet]

Inputs to infrastructure and industrial machinery need to be by voice, to the operators, from their supervisors. Deep fakes will be an issue going forward if any threat actors get creative.

Output needs to be broadcast only. Front it with a query server that can do on-demand reporting.

If you won't shape the solution correctly, someone will shove it up your ass for you.

Re:

[Tablizer]

And all it gets is molded down to oblivion.

Freudian slip?

So what was it?

[FrizzyHairBear]

..the password?

Re:

[bobstreo]

..the password?

12345?

Re:

[Anonymous Coward]

bigdickfuel

Not joking.

2FA should be

[ttspttsp]

a base standard security implementation on most everything important at this point. It's shameful that they hadn't implemented that yet.

Re:

[Rockoon]

Yes, and it should be real 2 factor not the fake "cell phone" bullshit 2 factor that everyone has been calling 2 factor but its really just 1 factor plus a technical complication.

There is no reason that purpose-specific challenge-answering devices arent being used as a matter of course for corporate and government logins of all kinds. We are talking about devices that cost under a dollar each to manufacture at this point.

Re:

[ceoyoyo]

I have a friend who does some financial management type stuff. She's got a ring of SecureID fobs for logging into bank accounts, and she's handling less money than Colonial paid in ransom.

Re:

[WaffleMonster]

I have a friend who does some financial management type stuff. She's got a ring of SecureID fobs for logging into bank accounts, and she's handling less money than Colonial paid in ransom.

The RSA fobs are insecure. They fail to provide channel binding.

Re:

[ceoyoyo]

Better than a password.

Re:

[WaffleMonster]

Better than a password.

So? While I'm sure a $150k car is "better" than the POS I drive it isn't clear to me why I should care.

One has to consider the threats one is attempting to defend against and make value judgments accordingly. From my perspective I don't see much real world value in the fob schemes. One of the most common threat is phishing attacks which are not stopped by RSA fobs yet easily stopped by a 50 cent smart card.

People often cite persistence as a benefit where fob authorizations are one time only and a stolen

Re:

[ceoyoyo]

So? While I'm sure a $150k car is "better" than the POS I drive it isn't clear to me why I should care.

Ah, the old "perfect is the enemy of good." Voltaire would be proud.

Re:

[MacMann]

That's why I don't do online banking, the banks I have accounts with don't offer 2FA authentication. Or at least didn't the last time I checked.

I'll have people ask me why I don't use online banking since I know so much about computers. It is because I know so much about computers that I don't use online banking. If more people learned what I did about computer security then I expect they'd be reluctant too.

Re: 2FA should be

[flyingfsck]

You need to leave the backward American colonies. European banks are more advanced and use real 2FA.

Build the wall! (Re: 2FA should be)

[MacMann]

You are absolutely right. We need to protect the world from the backwards banks in the USA. We need to wall of the country, ban all immigration, revoke all resident alien visas, send all the foreign students home, and do whatever else we can to keep people out. Our banks are backwards. Our healthcare is terrible. Our public schools will leave your kids stupider with every passing day. There's racist cops that will shoot you dead. Our cars burst into flames. The food tastes bad and the water is poiso

Re:

[sarren1901]

I've tried that logic on the other team as well. They just want us all dead so they can make their perfect paradise. Fortunately for us, there are about as many of us as them so we stay in this little stalemate until something gives.

Re:

[ceoyoyo]

Hey, watch it. Canadian banks also have real 2FA. A banking system that just recently moved away from mag strips and ink signatures is a characteristic of a specific subset of American colonies.

Competency is expensive

[battingly]

It's cheaper to pay insurance premiums, or even pay the occasional ransom, than it is to implement competent security. Nothing will change until this basic arithmetic is altered. For example, legislation that forbids paying the ransom. Unfortunately, we'll all suffer the consequences in the meantime.

No they didn’t.

[JaredOfEuropa]

The hackers didn’t succeed because of a single compromised account. They succeeded because that account was left active, had too many privileges, because they didn’t use 2FA, because they did not have adequate scans for viruses or anomalous network / disk activity, because their backups were inadequate and their procedures weren’t up up to date and rehearsed. And so on. Hackers never get in because of any single thing, it’s a series of failures. And addressing that one failure isn’t going to keep them out for long either.

Re:

[account_deleted]

Comment removed based on user account deletion

How funny

[WindBourne]

Colonial pipeline CEO wants American gov to go after Russians for this attack. Yet, the software group for this was done in India. This is similar to solar winds offshoring in Belarus, and in fact, nearly all major cyberattacks involve companies that offshored the work either to India or eastern Europe. And yet, these CEOs want to blame others. Shesh.

Re:

[ceoyoyo]

If I was going to do something like this, the first thing I would do is book a nice vacation in some country the US dislikes.

multifactor - half factor

[gl4ss]

what irks me about 2fa obsessionism is that the way it's most often implemented just makes it into a half factor authentication. 2fa done with the phone for example, where you can reset the password if you have the phone.

Re:

[WaffleMonster]

what irks me about 2fa obsessionism is that the way it's most often implemented just makes it into a half factor authentication. 2fa done with the phone for example, where you can reset the password if you have the phone.

There is a difference between the bullshit on public websites and multifactor authentication in a corporate setting. Normally the what you have is a smart card or similar technology.

Re:

[geekmux]

what irks me about 2fa obsessionism is that the way it's most often implemented just makes it into a half factor authentication. 2fa done with the phone for example, where you can reset the password if you have the phone.

There is a difference between the bullshit on public websites and multifactor authentication in a corporate setting. Normally the what you have is a smart card or similar technology.

Unfortunately, no you don't find that "normally".

That's why we're still here discussing the effectiveness of ransomware.

Years later.

Re:

[WaffleMonster]

Unfortunately, no you don't find that "normally".

I was commenting on the type of multi factor authentication deployed in these settings not the quantity of it or whether or not it is sufficient.

That's why we're still here discussing the effectiveness of ransomware.

North of 90% of all compromises exploit people not systems.

Re:

[geekmux]

Unfortunately, no you don't find that "normally".

I was commenting on the type of multi factor authentication deployed in these settings not the quantity of it or whether or not it is sufficient.

You stated "normally". That implies frequency. And no, true multi-factor authentication with dedicated hardware, is not popular. We have shitty half-ass SMS auth instead.

That's why we're still here discussing the effectiveness of ransomware.

North of 90% of all compromises exploit people not systems.

People build shitty systems. Until you can blame AI, learn to understand root cause. It was a human decision that didn't expire an exploited password enabled over VPN, and it will likely be a human that is the scapegoat.

Re:

[WaffleMonster]

You stated "normally". That implies frequency.

Frequency with respect to flavor not absolute distribution. What I said was "Normally the what you have is a smart card or similar technology." in the context of flavor of 2FA nobody even broached the topic of absolute penetration of 2FA prior to your response to me.

And no, true multi-factor authentication with dedicated hardware, is not popular.

It is in corporate settings.

People build shitty systems. Until you can blame AI, learn to understand root cause. It was a human decision that didn't expire an exploited password enabled over VPN, and it will likely be a human that is the scapegoat.

Decision making about threats are best based upon statistical evidence not anecdote. The fact of the matter is vast majority of compromises is from people getting tricked into doing something stupid.

Root cause is su

Re:

[geekmux]

...The fact of the matter is vast majority of compromises is from people getting tricked into doing something stupid.

Root cause is subjective and perspective based.

Not it isn't. Root cause in IT is pretty damn simple to figure out. People get tricked into doing something because the actual stupid thing that is exploited, is the system that isn't properly maintained. Audit trails tend to be filled with receipts, making root cause analysis rather simple, and offer an ability to eliminate the lying humans.

You can say the problem was failure to disable account. Someone else could say the failure was caused by lack of integration of employment data with authentication systems. Others could point to enabling process failures as root cause.

From what I can see the one constant thru all successful ransomware attacks (ransom is paid) is lack of isolated backups and inability to perform disaster recovery.

You can say all those things, and you would look like the one pointing fingers. The failure to properly maintain systems is the reason most ransomware executes and

Re:

[WaffleMonster]

Not it isn't. Root cause in IT is pretty damn simple to figure out.

Yes it is and there is rarely ever a single cause. Even in this particular case nobody even knows how the credentials were even obtained in the first place. A bit premature to wave mission accomplished banner when you don't even know how the leak even occurred.

People get tricked into doing something because the actual stupid thing that is exploited, is the system that isn't properly maintained.

The maintenance of systems has little to do with people being tricked into screwing them up. You can keep everything patched and vigorously manage account databases and all of that goes out the window the second someone does something stupid.

Some r

Re:

[timeOday]

"If you have the phone" is what makes it a second factor.

"Guessing" a Username

[burni2]

- look names up at xing/linkedin
- send eMail to
lookedupfirstname DOT lookeduplastname AT Maroonedcampowny.com

or

lookedupfirstname_initial DOT lookeduplastname AT Maroonedcampowny.com

and wait till you don't get a "Unkown-Error" User this eMail-Adress or the name part for the username+password

btw.
They had the password in that stash, there must also be the username in there or it was in a second database which connected password -> name or eMail

ps.
This post is written that way because of the fucking lame lam

Democrats still think we don't need pipelines?

[MacMann]

We saw a failure of gasoline pipelines bring considerable economic damage to the east coast. Texas had people die from pipeline failures in a winter storm. Would it not be wise to build more pipelines for redundancy? To bring more capacity so that if some capacity is lost for some reason that we don't see people freeze to death in their own homes? Or emergency vehicles sitting idle when needed because the tanks ran dry?

The Democrats caved on opposing nuclear power last summer and now support it. My gue

Re:

[ArchieBunker]

People died in Texas because the state gutted their regulatory agency and sued the feds in order to maintain their own grid. Cronies were put in charge of the agency who can only recommend changes, not mandate them. So a winter storm caused rolling blackouts in 2011 and winterization plans were recommended. This being Texas, the plants said that's a good idea but we're not going to do it. Fast forward 10 years and it happens again but much worse. Was anything learned from the last disaster? I doubt it. Here

Cyber BS ..

[takionya]

> .. Hackers gained entry .. through a virtual private network account .. said .. FireEye Inc. ..

Too important for private business

[petes_PoV]

Does this attack and its after effects illustrate that even though almost all assets are in the commercial domain, many still count as "strategic"?

If so, then there is a compelling argument to the effect that control of them and access to them should require military / defence grade security (and personnel). That is, if they should even be allowed on the public internet, at all?

VPN conspiracy

[WaffleMonster]

Never actually witnessed anyone ever properly configure VPN access. There is always something fucked up about it egged on by vendors offering an wide array of fucked up options that devolve into group keys, insufficient cert constraints and comically insecure authentication.

I half jokingly believe VPN servers are intentionally designed this way because conspiracy to allow shadowy TLAs to break into them. Then again the very concept of VPNs and implied castle defense are fundamentally flawed from the start.

Re:

[ceoyoyo]

Close all the ports and tunnel whatever the VPN wants over SSH. SSH with passwords disabled, of course.

Dubious...

[ArkiMage]

Not buying it... I doubt they were "targeted" or "breached" as described. It's far more likely an employee clicked something in an email and the malware was introduced to internal systems that way. This is just damage control...

Go after colonial ?

[jmccue]

In the wake of the attack on his company, Blount said he would like the U.S. government to go after hackers

And how about going after Colonial for such poor security practices ? Until these companies pay real money and pay often, they will never hire and listen competent Security Professionals. Why, that costs $

57 years ago...

[bill_mcgonigle]

Could the pipeline have been shut down by Windows malware?

No - they have shot themselves in the foor.

could be angry ex-employee

[clovis]

Another possibility is the ex-employee sold his credentials to the attackers. They advertise for this, and there is no shortage of angry ex-employees.
But it still comes back to basic failure on the part of the admins. When someone leaves, their account should be dead that day.
And it astonishes me that there are still people who run vpn' s without some sort of 2fa.
As bad as sms text 2fa is, it probably would have prevented the Colonial attack.

Re:

[aaarrrgggh]

Prevented the attack, or required a different vector? MFA adds friction for the attack, but doesn’t make it impossible. We have some credentials that don’t require MFA as part of our DR plan, and the wording in the summary makes me think that you could have something similar going on here. (Our DR credentials are secured in different ways, and held in paper form by CEO and CFO in sealed envelopes as an example.)

End the Safe Havens

[herbierobinson]

We won't stop these attacks if the criminal organizations promulgating them have safe havens the can hide in. We have to fight back by offering a presidential pardon and US citizenship to anyone who hacks he dictators shielding the hackers. Sign this petition. [chng.it]